LastPass in possible password fail

Trent Nouveau, 5th May 2011

LastPass is asking users to change their master password after identifying a brief network traffic "anomaly" from one of its non-critical machines - which apparently resulted in the transmission of an unspecified amount of data.

"[Although anomalies] happen occasionally, we typically identify them as an employee or an automated script. In this case, we couldn't find that root cause," a LastPass rep explained in an official blog post.

"After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction - more traffic was sent from the database compared to what was received on the server."

The LastPass rep conceded the company couldn't account for the anomaly, and would therefore be "paranoid" by assuming the very worst.

"We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs.

"As a precaution, we're forcing you to change your master password. We're [also] going to want an indication that you're you, by either ensuring that you're coming from an IP block you've used before or by validating your email address. The reason is that if an attacker had your master password through a brute force method, LastPass still wouldn't give access to this theoretical attacker because they wouldn't have access to your email account or your IP."
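The login gate the rep describes, as an added example that is not LastPass's code: the master password is checked against a hash built from a server salt plus a per-user salt, and a sign-in from an address block the account has never used is refused until a token sent to the account's e-mail is presented. PBKDF2, the /24 block granularity and the in-memory store are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
import secrets
from typing import Optional

# Constructed example store; PBKDF2 is assumed here, the page names no algorithm.
SERVER_SALT = b"constructed-server-salt"
ITERATIONS = 100_000

def hash_master_password(password: str, user_salt: bytes) -> bytes:
    # Server-wide salt plus per-user salt, stretched so offline guessing is slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SERVER_SALT + user_salt, ITERATIONS)

class Account:
    def __init__(self, email: str, password: str, known_ips):
        self.email = email
        self.user_salt = os.urandom(16)
        self.pw_hash = hash_master_password(password, self.user_salt)
        # Address blocks seen before, tracked as /24 networks (an assumption).
        self.known_blocks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in known_ips}
        self.pending_token = None  # e-mail verification token not yet confirmed

def login(acct: Account, password: str, source_ip: str, email_token: Optional[str] = None) -> str:
    """Return 'denied', 'verify_email' or 'ok'. A correct (even brute-forced) master
    password is not enough on its own from a block the account has never used."""
    if not hmac.compare_digest(hash_master_password(password, acct.user_salt), acct.pw_hash):
        return "denied"
    if any(ipaddress.ip_address(source_ip) in block for block in acct.known_blocks):
        return "ok"
    # Unfamiliar block: accept only the token that was sent to the account's mailbox.
    if email_token and acct.pending_token and hmac.compare_digest(email_token, acct.pending_token):
        acct.known_blocks.add(ipaddress.ip_network(f"{source_ip}/24", strict=False))
        acct.pending_token = None
        return "ok"
    acct.pending_token = secrets.token_urlsafe(16)  # in reality mailed to acct.email
    return "verify_email"

def demo() -> dict:
    acct = Account("user@example.com", "correct horse battery", ["203.0.113.10"])
    pw = "correct horse battery"
    results = {"wrong_password": login(acct, "guess", "203.0.113.20"),
               "known_block": login(acct, pw, "203.0.113.20"),
               "unknown_block": login(acct, pw, "198.51.100.5")}
    results["with_email_token"] = login(acct, pw, "198.51.100.5", acct.pending_token)
    return results
```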

Nevertheless, the LastPass rep was careful to emphasize that while the company had no actual proof passwords were compromised, it preferred to err on the side of caution.

"It's prudent to assume where there's smoke there could be fire. We're rebuilding the boxes in question and have shut down and moved services from them in the meantime.

"[Remember], the source code running the website and plugins has been verified against our source code repositories, and we have further determined from offline snapshots and cryptographic hashes in the repository that there was no tampering with the repository itself."

"Turns out you might need more than one. Oh well. Despite this potential security breach, LastPass has a strong reputation among the technology-savvy as a rather good piece of password-management software. It allows users to store the multitude of passwords for their various online activities in an encrypted form, accessible only via their master password," said Theriault.

"And for what it's worth, I think LastPass are doing the right thing: they saw something odd. They cannot explain it. There is a risk that sensitive info is in the wrong hands, so they immediately go into action, explain with some detail why they are concerned, and tell you what to do about it."